The Environmental Protection Agency (EPA) has recently alerted the public to the alarming fact that nearly 70% of the United States’ community drinking water systems are failing to comply with the Safe Drinking Water Act, including the cybersecurity standards it outlines. This revelation comes in the wake of increased cyberattacks on the nation’s water systems, particularly from Russia and Iran, prompting the agency to implement new enforcement plans to address this critical issue.
The EPA’s alert underscores the severity of the situation, citing a range of cybersecurity vulnerabilities that could have devastating consequences, such as disrupting water treatment, distribution, and storage, damaging essential infrastructure like pumps and valves, and even altering chemical levels to hazardous amounts. In response, the EPA has announced plans to increase the number of inspections to ensure water systems are regularly assessing their cybersecurity resilience and developing emergency response plans.
As part of the initiative, the EPA has released a comprehensive outline titled “Top Actions for Securing Water Systems,” which includes essential steps like reducing exposure to public-facing Internet, conducting regular cybersecurity assessments, changing default passwords, conducting an inventory of OT/IT assets, and developing and exercising cybersecurity incident response and recovery plans, among others.
Furthermore, the agency is establishing a task force to identify additional near-term actions and strategies to reduce cyber risks for water and wastewater systems nationwide. It also warns that civil and criminal enforcement actions will be taken against systems that fail to adhere to the cybersecurity standards.
This latest alert from the EPA is part of a series of warnings issued by federal authorities in response to escalating cyber threats targeting water systems. Recent attacks, like one on the Municipal Water Authority of Aliquippa in Pennsylvania by an Iranian state-sponsored group, highlight the vulnerability of these critical infrastructures to malicious actors. Despite pushback from water industry groups against regulations, the government has proposed new cybersecurity funding for rural water systems to bolster their defenses.
Chris Warner, an OT security strategist at GuidePoint Security, points out that a lack of qualified cybersecurity personnel and understanding of control systems are persistent challenges in safeguarding water and wastewater facilities. To address this issue, the EPA is collaborating with the Cybersecurity and Infrastructure Security Agency (CISA) to provide guidance, training, and resources to enhance the cybersecurity posture of water systems.
Warner emphasizes the importance of continued federal involvement in water and wastewater cybersecurity, stating that coordinated efforts and comprehensive approaches are essential to mitigating the risk of cyberattacks on critical infrastructure. By shining a spotlight on this issue and promoting collaboration, the government can significantly reduce the threat posed to water systems and safeguard essential services for the community.